Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <n69hag$2if$1@ger.gmane.org>
Date: Sat, 2 Jan 2016 23:00:47 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: MantisBT SOAP API can be used to disclose confidential
 settings

Greetings,

Please assign a CVE ID for the following issue.


Description:

Until now, MantisBT sensitive config options were blacklisted to prevent 
their access via SOAP API (see config_is_private() function).

When a new config is added or an existing one is renamed, the black list 
must be updated accordingly. If this is not or incorrectly done, the 
config becomes available via SOAP API.

This was the case with the MantisBT master cryptographic salt 
(crypto_master_salt): it was incorrectly spelt.

To fix the problem as well as avoid future occurences, we are switching 
to a whitelist approach, i.e. listing all configs that *can* be accessed 
via SOAP.

Any MantisBT installation with SOAP API enabled should be patched, and 
immediately generate a new salt.


Affected versions:
 >= 1.3.0-beta.1

Fixed in versions:
1.3.0 (not yet released), possibly 1.3.0-rc.2 if we decide we need 
another release candidate before that.

Patch:
See Github [1]

Credits:
The issue was discovered by Paul Richards [2] and fixed by Roland Becker
(MantisBT Developer).

References:
Further details available in our issue tracker [3]


Best regards,
D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/7927c275
[2] https://sourceforge.net/p/mantisbt/mailman/message/32948048/
[3] https://mantisbt.org/bugs/view.php?id=20277

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.